Planning DNS Zone Implementations

DNS zones are created when the DNS namespace is divided up. Breaking the namespace into zones lets DNS manage available bandwidth more efficiently, which in turn improves DNS performance.

When determining how to break up the DNS namespace into zones, a few considerations include:

DNS traffic patterns: Use the System Monitor tool to examine DNS performance counters and to obtain DNS server statistics.

Network link speed: The types of network links that exist between DNS servers should be determined when users plan the zones for their environment.

Server roles: Whether full DNS servers or caching-only DNS servers are in use also affects how the DNS zones are broken up.

The main zone types used in Windows Server 2003 DNS environments are primary zones and Active Directory-integrated zones. Whether to implement primary zones or Active Directory-integrated zones is determined by the environment's DNS design requirements.

Both primary zones and secondary zones are standard DNS zones that use zone files. The main difference between them is that primary zones can be updated, whereas secondary zones contain read-only copies of the zone data that can only be updated through DNS zone transfer. Secondary DNS zones are usually implemented to provide fault tolerance for the DNS server environment.

An Active Directory-integrated zone can be regarded as an improved version of a primary DNS zone because it can use multi-master replication and the security features of Active Directory. The zone data of an Active Directory-integrated zone is stored in Active Directory. Active Directory-integrated zones are authoritative primary zones.

A few advantages that Active Directory-integrated zone implementations have over standard primary zone implementations are:

Active Directory replication is faster, so the time needed to transfer zone data between DNS servers is far less.

The Active Directory replication topology is used both for Active Directory replication and for Active Directory-integrated zone replication, so a separate DNS zone transfer mechanism is no longer needed when DNS and Active Directory are integrated.

Active Directory-integrated zones can enjoy the security features of Active Directory.

The need to manage Active Directory domains and DNS namespaces as separate entities is eliminated. This in turn reduces administrative overhead.

When DNS and Active Directory are integrated, the Active Directory-integrated zones are replicated and stored on any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed.

The mechanism by which a DNS server forwards a query it cannot resolve to another DNS server is called DNS forwarding. A DNS forwarder is a DNS server to which other DNS servers forward queries for a DNS namespace they cannot resolve themselves, so that a server able to answer the query can do so. A DNS server becomes a DNS forwarder when the other DNS servers are configured to direct any unresolved queries to it. Creating DNS forwarders can improve name resolution efficiency.

Windows Server 2003 DNS introduces a new feature called conditional forwarding. With conditional forwarding, conditional forwarders are created within the environment that forward DNS queries according to the specific domain name requested in the query. This differs from standard DNS forwarding, where every unresolved query is sent along the same resolution path regardless of the domain queried. A conditional forwarder only forwards queries for the domains defined in its forwarders list; a query for a domain with no entry in that list is passed to the default DNS forwarder.

When conditional forwarders are configured, the process to resolve domain names proceeds as follows:

A client sends a query to the DNS server for name resolution.

The DNS server checks its DNS database file to determine whether it can resolve the query with its zone data.

The DNS server also checks its DNS server cache to resolve the request.

If the DNS server is not configured to use forwarding, the server uses recursion to attempt to resolve the query.

If the DNS server is configured to forward the query for a specific domain name to a DNS forwarder, the DNS server then forwards the query to the IP address of its configured DNS forwarder.

A few considerations for configuring forwarders for the DNS environment are:

Only implement the DNS forwarders that are necessary for the environment. Refrain from creating a large number of forwarders for the internal DNS servers.

Avoid chaining your DNS servers together in a forwarding configuration.

To avoid the DNS forwarder turning into a bottleneck, do not configure a single external DNS forwarder for all of the internal DNS servers.
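The resolution order above (zone data, cache, conditional forwarder, default forwarder, recursion) and the warning against chaining forwarders, as an added Python model that is not part of the original article or of Windows DNS itself. All server names, zones and addresses are constructed sample data; `DnsServer` and `forwarding_chains` are hypothetical names.

```python
# Added example (not from the original article): models the query path of a
# DNS server with conditional forwarders and lints a set of servers for
# forwarder chains. Sample names, zones and addresses are constructed.

class DnsServer:
    def __init__(self, name, zones, conditional=None, default_forwarder=None):
        self.name = name
        self.zones = zones                    # authoritative zone data {fqdn: ip}
        self.cache = {}                       # previously resolved answers {fqdn: ip}
        self.conditional = conditional or {}  # conditional forwarders {domain: server}
        self.default_forwarder = default_forwarder  # where everything else goes, or None

    def resolve(self, fqdn):
        """Return (answer, how): the answer if known locally, else where the query goes."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.zones:                    # 1. own zone data
            return self.zones[fqdn], "zone"
        if fqdn in self.cache:                    # 2. server cache
            return self.cache[fqdn], "cache"
        labels = fqdn.split(".")                  # 3. conditional forwarders list,
        for i in range(len(labels)):              #    most specific domain wins
            domain = ".".join(labels[i:])
            if domain in self.conditional:
                return None, "conditional:" + self.conditional[domain]
        if self.default_forwarder:                # 4. default forwarder, if configured
            return None, "forwarder:" + self.default_forwarder
        return None, "recursion"                  # 5. no forwarding: recurse from the root


def forwarding_chains(servers):
    """Return forwarding paths that pass through more than one server in `servers`
    (the chaining the article warns against), including loops where forwarders
    point back at each other. Forwarders not in `servers` are treated as external."""
    found = []
    for name, srv in servers.items():
        hops, nxt = [name], srv.default_forwarder
        while nxt in servers and nxt not in hops:
            hops.append(nxt)
            nxt = servers[nxt].default_forwarder
        if nxt in hops:                           # loop: the query never leaves
            hops.append(nxt)
        if len(hops) > 2:
            found.append(hops)
    return found


if __name__ == "__main__":
    branch = DnsServer("branch", {"pc1.branch.example.test": "10.1.0.5"},
                       conditional={"partner.test": "partner-dns"}, default_forwarder="hq")
    hq = DnsServer("hq", {}, default_forwarder="203.0.113.53")
    print(branch.resolve("www.partner.test"), branch.resolve("www.example.org"))
    print(forwarding_chains({"branch": branch, "hq": hq}))
```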